WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: Laurian Gridinoc <laur () grapefruitdesign com>
Date: 20 Jun 2003 21:12:53 +0300
On Fri, 2003-06-20 at 19:08, Tim Greer wrote:

> > The most elegant way to control html input would be to parse it to a
> > DOM tree and control it from there; I'm widely using Tidy to `correct'
> > the input to XHTML, then by a simple XSL transformation I can
> > filter/alter whatever elements I need.
>
> Can you give a real world example of a URL link/anchor tag on how you
> would allow or disallow it from becoming active based on specific
> variables that would prevent an attack that would be a superior method
> over a regex example, such as I offered?

I can, it surely takes more lines; but I was talking more about the markup handling and not about validating the values enclosed in attributes and/or text nodes; XSL has string functions which may be used to test and change attribute and text node values; you may use them or you may call external resources which may better handle them.

> > I consider filtering html as if it were a mere string (i.e. using
> > regexp or simple replace methods) pretty uncertain in results and not
> > quite programming :) -- it's a language, it has a grammar, then use
> > a parser.
>
> I don't see how anything would be better than a regex, but everyone
> has their preferences. TIMTOWTDI, I'm sure.

I just like (and consider it safe) to treat markup (sometime before) and apart from content.

> You think regex's aren't quite programming? :()

No, regex's are wonderful & powerful tools (not always very readable), however, I was regarding the problem in this way: it is tricky (read hard to debug) to treat the markup and the content at the same time (at index j in a string you might be in a tag name, a value or a comment - way too tricky to handle this context incertitude); in my suggestion I can treat content while I'm very sure of the context.

Cheers,

-- 
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.grapefruitdesign.com
www.gd.ro
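The anchor-tag example Tim asks for, worked through the way Laurian argues for (parse first, then decide per element and per attribute with the context known). This is an added example, not code from either participant or from this thread: it swaps Tidy plus XSL for Python's standard-library `html.parser` so it runs offline, and the element/attribute allow-list, the permitted URL schemes and the sample inputs are all constructed for illustration. The naive regex filter beside it stands in for the string-level approach and shows the context problem Laurian describes (a single-quoted attribute and an entity-encoded scheme slip past it, while the parser sees the decoded attribute value).

```python
"""DOM-style allow-list sanitizer beside a string-level regex filter.

Added example (not from the mailing-list thread). Standard library only;
the allow-lists and test inputs below are constructed for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: element -> attributes permitted on it.
# Anything not listed (script, style, iframe, on* handlers, ...) is dropped.
ALLOWED = {
    "a": {"href", "title"},
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
}
VOID = {"br"}                      # elements that never get a closing tag
RAW = {"script", "style"}          # elements whose text content is discarded
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
_CTRL_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_url(value):
    """True when the URL's scheme is on the allow-list.

    Browsers remove ASCII tab/newline anywhere in a URL and strip leading and
    trailing control characters before looking for a scheme, so the check
    normalises the same way before asking urlsplit() for the scheme.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip(_CTRL_AND_SPACE)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-serialises only allow-listed elements/attributes; text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = False          # inside <script>/<style>: drop the text

    def handle_starttag(self, tag, attrs):
        if tag in RAW:
            self._skip = True
            return
        if tag not in ALLOWED:
            return                  # element dropped, its text still kept
        kept = []
        for name, value in attrs:   # values arrive entity-decoded by the parser
            if name not in ALLOWED[tag]:
                continue            # e.g. onclick, style, target
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue            # unsafe scheme: attribute dropped, text stays
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in RAW:
            self._skip = False
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    # Comments, doctype declarations and processing instructions are dropped.
    def handle_comment(self, data): pass
    def handle_decl(self, data): pass
    def handle_pi(self, data): pass


def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# The string-level approach: delete <script> blocks and double-quoted on*=
# handlers, leave everything else untouched.  It never learns what context
# a given character is in, which is the weakness discussed in the thread.
NAIVE_RE = [
    re.compile(r"<script\b.*?</script>", re.I | re.S),
    re.compile(r'\son\w+\s*=\s*"[^"]*"', re.I),
]


def naive_regex_filter(html):
    for rx in NAIVE_RE:
        html = rx.sub("", html)
    return html


if __name__ == "__main__":
    # Constructed inputs: an ordinary link, an unsafe scheme, the same scheme
    # hidden behind a character reference, a single-quoted handler attribute.
    for sample in ('<a href="https://example.com" onclick="x()">ok</a>',
                   '<a href="javascript:alert(1)">hi</a>',
                   '<a href="java&#9;script:alert(1)">hi</a>',
                   "<a href='/x' onclick='x()'>y</a>"):
        print("parser:", sanitize(sample), "| regex:", naive_regex_filter(sample))
```

The allow-list is the design decision that matters: the parser approach never needs to know what a dangerous attribute looks like, only what an acceptable one looks like, and the decision for `href` is taken on the decoded attribute value, which is the "very sure of the context" point in the reply above. The same per-attribute test could be expressed in XSLT with `starts-with()` on the attribute value, as the reply suggests, once Tidy has produced well-formed XHTML.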